Research paper: Windows 8 picture passwords can be cracked

We are constantly told that, when creating new online accounts, we should take the time to generate passwords that cannot be easily guessed. However, many people don't heed this advice and create passwords that are simple and commonly used. Of course even with a secure password, attackers can target the backend database or steal keystrokes from your PC, making the password worthless.

In 2011, Microsoft announced it had come up with a way to use a combination of images and touchscreen gestures to create a password system for accessing Windows 8. Microsoft said that it would be far more secure than PINs or passwords because users would have a potential of 1,155,509,083 different ways to touch an image via taps, circles and lines.

That sounds like an ideal security system, but a recent research paper now claims many picture passwords in Windows 8 can be cracked. As with character-based passwords, the weakness lies not in the scheme itself but in the fact that many people create picture-and-gesture combinations that are easy to discover.

The study was created by researchers from Arizona State University, Delaware State University and GFS Technology Inc. for the USENIX Security Symposium. The study found that many Windows 8 users upload their own photo for use in the picture password system and then come up with touchscreen gestures that center on objects in the image that stand out, such as a nose, mouth or eye if a person is in the picture.

The researchers polled 685 Windows 8 users and asked them to create gesture combinations for passwords with two different pictures. 60.3 percent of the participants said they used "special objects" in the images to map out their gestures. Only 9.8 percent of those polled indicated they created gestures that had nothing to do with what was seen in their images.

Based on what the study participants indicated, the researchers then created an algorithm and attack system for picture passwords in Windows 8. The team claims they were able to crack 48 percent of those passwords based on their system. They suggest that Microsoft come up with a picture password strength meter that could be used to help Windows 8 owners make more complex patterns that cannot be repeated quickly by hackers.
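The strength meter the researchers suggest could start from exactly the observation above: gestures anchored on salient objects are the ones an attack can enumerate first. The following is an added example of such a heuristic meter; it is not code from the paper or from Microsoft. It assumes a point-of-interest detector has already reported salient coordinates for the image (constructed here for a portrait), and the pixel tolerance and rating thresholds are illustrative assumptions.

```python
from dataclasses import dataclass
from math import hypot

# Constructed sample: coordinates a point-of-interest (PoI) detector might
# report for a portrait photo, in image pixels. Not real detector output.
POINTS_OF_INTEREST = {
    "left_eye": (180, 140),
    "right_eye": (260, 140),
    "nose": (220, 190),
    "mouth": (220, 240),
}


@dataclass
class Gesture:
    kind: str       # "tap", "circle" or "line" (the three Windows 8 gesture types)
    points: tuple   # tap/circle: (x, y); line: (x1, y1, x2, y2)


def anchor_points(g):
    """Image coordinates a guess would have to reproduce for this gesture."""
    if g.kind in ("tap", "circle"):
        return [tuple(g.points[:2])]
    if g.kind == "line":
        return [tuple(g.points[:2]), tuple(g.points[2:4])]
    raise ValueError(f"unknown gesture kind {g.kind!r}")


def nearest_poi_distance(pt, pois=POINTS_OF_INTEREST):
    """Euclidean distance from pt to the closest detected point of interest."""
    return min(hypot(pt[0] - x, pt[1] - y) for x, y in pois.values())


def poi_anchored_fraction(gestures, pois=POINTS_OF_INTEREST, tolerance=25):
    """Fraction of gesture anchors that sit within `tolerance` px of a PoI."""
    anchors = [a for g in gestures for a in anchor_points(g)]
    hits = sum(1 for a in anchors if nearest_poi_distance(a, pois) <= tolerance)
    return hits / len(anchors)


def rate_picture_password(gestures, pois=POINTS_OF_INTEREST, tolerance=25):
    """Heuristic rating: the more anchors on salient objects, the weaker.

    Thresholds (assumed, not from the paper): >=75% anchored -> weak,
    >=50% -> fair, otherwise strong.
    """
    frac = poi_anchored_fraction(gestures, pois, tolerance)
    if frac >= 0.75:
        return "weak"
    if frac >= 0.5:
        return "fair"
    return "strong"
```

A real meter would also need the detector itself and a measure of gesture-type diversity, but the anchor check alone already flags the eye/nose/mouth pattern the survey found most participants choosing.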

Source: USENIX Security Symposium via Network World | Image via Microsoft


Silly research. I wouldn't have given the guy who wrote the paper a degree if I were a professor. Any password can be cracked. It's just a matter of guessing or brute force. This has been the case since the computer was invented.

Indeed, a "secure password" is something of a contradiction in terms these days. Two factor that relies on both a password AND a physical device (biometric, mobile phone, smart card, etc) is the way to go for everything.

Anyone who uses a picture password should expect to have it broken. More likely by an observant friend or family member than a hacker though.

MDboyz said,
Give the most secured system in the world to an idiot, it will become useless !!!

So did you get a useless system then?

I'm not one of the people crying out that picture passwords are not secure, like you ... so I guess you know the answer.

Auditor said,

So did you get a useless system then?

Windows 8 forces password entry if you fail to provide the correct picture password 5 times, so I doubt their claim of the attack system that cracked 48 percent of them.

If you really need strong security on your device, don't use a picture password or a PIN (my fav at home), nor should you use your name as a password. You also shouldn't write it down and put it under the keyboard... not sure why this is a story.

MorganX said,
If you really need strong security on your device, don't use a picture password or a PIN (my fav at home), nor should you use your name as a password. You also shouldn't write it down and put it under the keyboard... not sure why this is a story.

Let's sticky tape a land mine on top of the keyboard so no one will touch it xD
I mean, "any secure system can be cracked" is not funny anymore...

Edited by Kenny Kanashimi Chu, Sep 8 2013, 3:36am:

This paper is just silly. Obviously, if a user selects obvious objects/motions it will be easier to crack. Users in general need to learn to beef up their passwords (and picture passwords). I for one love using Picture Passwords on my tablet.

So we needed this paper to remind us that any password system can be cracked when you have an easy point of failure which is the user?

I think this has the potential to be a secure security system, but Microsoft need to play their part in making sure that the users know how to use it correctly. Maybe something that detects if a gesture can be easily guessed would be a good idea, or a message that says not to choose gestures around obvious things in the picture. In my opinion, the example picture doesn't provide this.

Well, the point of the picture password is "obvious things"... else you could just have a blank screen and let them draw something on it out of their head.

The problem is that picture passwords create a very easy vehicle for weak passwords that "seem" strong because, hey, computers are bad with images, right? With text passwords at least you get a sense of how obvious it is to crack when you make it (e.g. is it a word from the dictionary?).

Picture Passwords are stronger than text passwords; however, they have the same flaw that text passwords have, which is choosing obvious objects/motions (just like people use obvious words for text passwords).

'The team claims they were able to crack 48 percent of those passwords based on their system.'
Doesn't seem like a flaw with the system to me, seems 48% of people that used it were idiots and set up very obvious movements.

n_K said,
Doesn't seem like a flaw with the system to me, seems 48% of people that used it were idiots and set up very obvious movements.

Not being informed about the risks doesn't make people "idiots", though it does show poor judgement. I mean, we're not talking about people using the word "password" for a password here. What is needed is for users to be informed of the risks, something which Microsoft is responsible for.

theyarecomingforyou said,

Not being informed about the risks doesn't make people "idiots", though it does show poor judgement. I mean, we're not talking about people using the word "password" for a password here. What is needed is for users to be informed of the risks, something which Microsoft is responsible for.


There was a recent survey done this year on sites and people were still found to be using stupid passwords like "password". Yes, MS could do better to inform users of how to make secure picture passwords, but I think at the end of the day there will always be people that choose to ignore every bit of common sense and use a stupid password or set up an incredibly obvious pattern.

Sadelwo said,
I have seen computers where the password hint IS the password. Yep.
I always mock people trying to get into my system if they look at the password hint.